Granting full administrative access to all resources on a queue manager

Grant full administrative access to all the resources on a queue manager, to each user or group of users with a business need for it.

About this task

You can use the Add Role Based Authorities wizard or the appropriate commands for your operating system.

[UNIX, Linux, Windows, IBM i] On Multiplatforms, you can also use the SET AUTHREC command.

[AIX, Linux, Windows] Notes:
  1. If you are using runmqsc to administer the queue manager instead of the IBM® MQ Explorer, you must grant authority to inquire, get, and browse the SYSTEM.MQSC.REPLY.QUEUE, and you do not need to grant any authorities on the SYSTEM.MQEXPLORER.REPLY.MODEL queue.
  2. When giving a user access to all resources on a queue manager, there are some commands that the user cannot run unless that user has read access to the qm.ini file. This is due to restrictions on non-mqm users being able to read the qm.ini file.
    The user cannot issue the following commands unless you have granted that user read access to the qm.ini file:
    • Defining a channel that is configured to use TLS
    • Defining a channel using auto-configuration insertion variables defined in qm.ini

Procedure

  • If you are using the wizard, in the IBM MQ Explorer Navigator pane, right-click the queue manager and click Object Authorities > Add Role Based Authorities.
    The Add Role Based Authorities wizard opens.
  • [AIX][Linux] For AIX® and Linux® systems, issue the following commands:
    Note: When using a name that includes wildcard characters, wrapping the name in single or double quotation marks can be important, depending on how a script is being used and what the parameters are. Single quotation marks, which are used in the code examples, always work for UNIX, AIX, Linux, and Windows on PowerShell. For scripts run from the Windows command prompt, use double quotation marks.
    setmqaut -m QMgrName -n '**' -t queue -g GroupName +alladm +browse
    setmqaut -m QMgrName -n @class -t queue -g GroupName +crt
    setmqaut -m QMgrName -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g GroupName +dsp +inq +put
    setmqaut -m QMgrName -n SYSTEM.MQEXPLORER.REPLY.MODEL -t queue -g GroupName +dsp +inq +get +put
    setmqaut -m QMgrName -n '**' -t topic -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t topic -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t channel -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t channel -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t clntconn -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t clntconn -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t authinfo -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t authinfo -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t listener -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t listener -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t namelist -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t namelist -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t process -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t process -g GroupName +crt
    setmqaut -m QMgrName -n '**' -t service -g GroupName +alladm
    setmqaut -m QMgrName -n @class -t service -g GroupName +crt
    setmqaut -m QMgrName -t qmgr -g GroupName +alladm +connect
    

    See setmqaut for more information on @class.

  • [Windows] For Windows systems, issue the same commands as for AIX and Linux systems, but using the profile name @CLASS instead of @class.
  • [IBM i] For IBM i, issue the following command:
    GRTMQMAUT OBJ(*ALL) OBJTYPE(*ALL) USER('GroupName') AUT(*ALLADM) MQMNAME('QMgrName')
    
  • [z/OS] For z/OS®, issue the following commands:
    RDEFINE MQADMIN QMgrName.*.** UACC(NONE)
    PERMIT QMgrName.*.** CLASS(MQADMIN) ID(GroupName) ACCESS(ALTER)
    
    The variable names have the following meanings:
    QMgrName
      The name of the queue manager.
      [z/OS] On z/OS, this value can also be the name of a queue sharing group.
    GroupName
      The name of the group to be granted access.
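
The setmqaut steps for AIX, Linux and Windows above, combined with Note 1 on runmqsc, written as one script that only prints the commands so the grant can be reviewed before it is applied. This is an added example, not IBM's code: the function name gen_full_admin_grants, its arguments, the name check and the sample names QM1 and mqadmins are assumptions of this example.

```shell
#!/bin/sh
# Added example (not IBM code): print, without running, the setmqaut commands
# from the procedure above so the grant can be reviewed before it is applied.
# gen_full_admin_grants and its arguments are hypothetical names.
# usage: gen_full_admin_grants QMGR GROUP [explorer|runmqsc] [unix|wincmd]
gen_full_admin_grants() {
    qm=$1 grp=$2 tool=${3:-explorer} os=${4:-unix}

    # Conservative name check (an assumption of this example) so the printed
    # lines contain no shell metacharacters.
    for name in "$qm" "$grp"; do
        case $name in
            ''|*[!A-Za-z0-9._/%-]*) echo "refusing name: $name" >&2; return 1 ;;
        esac
    done

    # Windows uses the @CLASS profile; double quotes suit the command prompt.
    case $os in
        unix)   class='@class'; q="'" ;;
        wincmd) class='@CLASS'; q='"' ;;
        *) echo "unknown platform: $os" >&2; return 1 ;;
    esac

    # Note 1: runmqsc needs SYSTEM.MQSC.REPLY.QUEUE, not the Explorer model queue.
    case $tool in
        explorer) reply='SYSTEM.MQEXPLORER.REPLY.MODEL'; rauth='+dsp +inq +get +put' ;;
        runmqsc)  reply='SYSTEM.MQSC.REPLY.QUEUE'; rauth='+inq +get +browse' ;;
        *) echo "unknown tool: $tool" >&2; return 1 ;;
    esac

    for t in queue topic channel clntconn authinfo listener namelist process service; do
        if [ "$t" = queue ]; then
            printf '%s\n' "setmqaut -m $qm -n $q**$q -t queue -g $grp +alladm +browse"
            printf '%s\n' "setmqaut -m $qm -n $class -t queue -g $grp +crt"
            printf '%s\n' "setmqaut -m $qm -n SYSTEM.ADMIN.COMMAND.QUEUE -t queue -g $grp +dsp +inq +put"
            printf '%s\n' "setmqaut -m $qm -n $reply -t queue -g $grp $rauth"
        else
            printf '%s\n' "setmqaut -m $qm -n $q**$q -t $t -g $grp +alladm"
            printf '%s\n' "setmqaut -m $qm -n $class -t $t -g $grp +crt"
        fi
    done
    printf '%s\n' "setmqaut -m $qm -t qmgr -g $grp +alladm +connect"
}

# Constructed sample names: a runmqsc administrator group on AIX or Linux.
gen_full_admin_grants QM1 mqadmins runmqsc unix
```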